Over the past several years, organizations large and small have initiated or continued data center consolidation projects. Unlike some other IT initiatives, the benefits from this exercise are clear and well-documented, and include both economic and operations advantages.
The reality remains that the data center frequently contains an organization’s most important asset: Information. Given the prodigious efforts to collect and provide access to this corporate resource, have we been equally vigilant in protecting it as well? Unfortunately not.
Let’s examine the unanticipated side effects of data center consolidation and consider a proactive strategy for mitigating those risks prior to completion of the project. The following is not a step-by-step guide to consolidating a data center, but rather a timely analysis of overlooked elements.
Too often, a re-engineering effort quickly follows a consolidation project because the operational benefits are negated by amplified vulnerabilities, which include information risk, asset risk, access risk and audit risk. Since the economic benefits of consolidation are so evident, organizations frequently rush to implementation while not fully dealing with the risk factors.
Fortunately, a holistic approach exists that not only mitigates these key challenges, but also allows information leaders to overcome some of the political challenges that permeate their consolidation efforts.
First, we must explore some fundamental concepts. From an information viewpoint, we’ve seen astronomical growth in storage capacity, leading to the rise of information lifecycle management (ILM), which represents how information is managed, moved and viewed within an organization.
We’ve followed this with a dramatic increase in our transaction processing capability. Finally, we’ve made it easy to provide information beyond our corporate borders to our customers and business partners. In essence, we’ve become a high-performance, information-dependent machine.
Does that make us more vulnerable? Absolutely.
If that’s the case, what are the risk factors? The media has been awash with coverage of information breaches, illegal access, lost tapes, etc. Information, as we’ve articulated, has value—even in the wrong hands.
Exacerbating all this is compliance. Depending on your markets, you may be subject to a variety of regulatory constraints about the information you harbor. Also consider the financial risk factor. If the malcontents and the regulators don’t get you, the market certainly will, even at the hint of a breach. So, let’s consider each of the risk factors in turn, and then address mitigation.
Risk Factor 1: Information Risk
Data center consolidation represents an incredible concentration of information on an infrastructure that’s highly accessible. Remember that not all data is created equal, with some being much more sensitive than others. However, because the economics of the new data center are so compelling, there is now a much broader variety of data within it.
Consider credit card information. In late 2004, Visa and MasterCard more closely aligned their respective approaches and created the Payment Card Industry (PCI) Data Security Standard. PCI information resides in the data center and must be protected. In addition, if an organization also provides health-related services or processing, it may include protected health information (PHI) as well.
Add to this email information, research, financial information, and intranet content, and you have terabytes of growing and disparate information all residing within the same data center. The capacity of the new data, along with the continued, rapid growth of information, challenges its ability to be effectively controlled.
Risk Factor 2: Asset Risk
Which assets contain the sensitive information? Great question, especially when we mix in server virtualization and storage area networks (SANs). The benefits of the afore-mentioned technologies are great, but it remains a challenge for most organizations to identify assets which contain some of the critical information we highlighted in Risk Factor 1. This is a major compliance challenge, as identification of critical assets is just as important as identifying the data which they contain.
Risk Factor 3: Access Risk
Once we have a base understanding of the critical information and assets within our new data center, how do we control access?
Organizations often have a vast array of not only authentication techniques, but also of authorization methods. Depending on their information, different assets might require different access methods, which may in turn be incongruous with other technologies in place.
To overcome access challenges, numerous technologies are thrown at the problem. These include but are not limited to router access controls, virtual LANs, firewalls, single sign on (SSO), intrusion detection, etc. Whether the information is distributed, concentrated, or virtualized, getting the policy in place for managing access remains a challenge.
Risk Factor 4: Audit Risk
Aggravating these challenges are the ever-increasing audit requirements. It doesn’t matter whether you’re a privately held entity not controlled by the Sarbanes-Oxley Act, or if you just have sensitive information, you’re going to have to prove that you have the requisite controls in place and that they’re working.
Even within a consolidated data center, collecting information is difficult, especially since audit information may have to be correlated with other information outside the data center. Activating specific auditing functionality within point products might not only result in large log files and trigger a number of events, but may in fact impact operational and transactional performance as well.
This, of course, runs counter to some of the justification for consolidating the data center in the first place.
These risk factors aren’t going away; in fact, one may argue that they’re only getting worse. Outsourcing is not a cure-all either, as service providers are also dealing with these challenges.
Moving forward, it’s imperative for a broader array of stakeholders to be involved in the up-front efforts to tackle the risk factors. Though technology is evolving to address these issues, it does not preclude the need for cross-functional planning and a candid assessment of requirements.
Robert Ciampa is vice president of marketing and business strategy at Trusted Network Technologies, a provider of identity audit and access control solutions.